As recently flagged by the Attorney General, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (PA Bill) just introduced into the Australian Parliament includes a quantum leap in the maximum fine available for serious or repeated invasions of an individual's privacy (i.e. for serious or repeated breaches of the Privacy Act/Australian Privacy Principles - together the APPs) - but that is not all!
Even before the Attorney‑General's review into the Privacy Act (AG's Review) is completed and the amendments to be introduced into Parliament by the Government are announced (expected later this year), true to his word the Attorney‑General has included some very significant amendments to the APPs in the PA Bill. We expect the PA Bill will pass by the end of the year without much change and will have a significant impact on all organisations subject to the APPs.
What's going to change?
Below we briefly highlight, of course subject to any changes made to the PA Bill as it passes through Parliament, the key (or most impactful) changes as we see them that will be brought about by the passing of the PA Bill:
1. Increased fine
The headline change, of course, is the increase, by a factor of at least twenty-five, in the current maximum penalty (currently up to $2.2 million) for a serious invasion of privacy or repeated invasions of privacy, to the greater of:
- $50 million;
- three times the value of the benefit obtained during the contravention; and
- 30% of "adjusted turnover" (essentially revenue) during the "breach turnover period".
The "breach turnover period" (on which revenue the 30% will be applied) is the greater of:
- the 12 months ending at the end of the month in which the contravention ceases (or proceedings in relation to the contravention are instituted); and
- the period starting at the beginning of the month in which the contravention began occurring and which ends at the end of the month in which the contravention ceases (or in which proceedings in relation to the contravention are instituted).
Note: This is not limited to 12 months' revenue. Subject to when the contravention occurs (presumably only back to the date of the passing of the PA Bill), this could be 30% of revenue over the number of years for which the contravention continues, which could be a staggeringly large amount.
2. Increased extraterritorial reach
Reflecting the views of the OAIC in the recent Uber determination, the seemingly small amendment to section 5B(3) of the Privacy Act (deleting section 5B(3)(c)) effectively extends the reach of the APPs to all organisations and businesses that 'carry on business in Australia', whether or not they collect personal information directly from individuals in Australia. While we have previously commented on this in respect of the Uber determination, this brings the extraterritorial reach of the APPs more in line with the position under the GDPR/UK GDPR. This will be of significant concern to those offshore-based organisations which, as third party vendors, provide services to Australian organisations and which were, pre-Uber determination, not considered subject to the APPs. These organisations must now comply with the APPs, much as offshore third party vendors are subject to the GDPR/UK GDPR.
3. Increased available remedies
Additional 'remedies' (or what can be required of organisations) have been given to the OAIC. In practice these will have a significant impact, whether the determination against the organisation arises from a complaint or as the result of an OAIC own motion investigation:
- the OAIC may require organisations to engage an independent adviser (approved by the OAIC) to review the privacy acts and practices of the organisation, the steps taken to ensure the relevant conduct is not repeated or continued and "any other matter specified in the declaration that is relevant to those acts or practices, or that complaint" (i.e. effectively outsourcing the OAIC's ongoing monitoring of compliance with any remedial requirements – expanding the reach of the OAIC without adding employees); and
- in addition to publication of the determination on the OAIC website, organisations may be required to prepare an approved statement describing the conduct the organisation engaged in, the steps taken (or to be taken) to ensure the conduct is not repeated and any other information required to be declared by the OAIC, and either or both of:
  - provide a copy of that statement to each individual affected by the conduct the subject of the determination; and/or
  - publish the statement in the manner specified by the OAIC (e.g. on your website),
all of which are to occur within 14 days of the determination requiring this.
Clearly there is no longer anywhere to hide. Even if no one looks up the OAIC's website to determine what decisions have been made against an organisation, this publication requirement means the organisation itself must tell the 'world' of its privacy wrongdoing. In particular, this publication requirement may cause even further complications for listed companies which have continuous disclosure obligations.
The 'outsourcing' of the assurance/review has been used successfully by the OAIC to date as part of the enforceable undertaking regime. The PA Bill significantly expands the role of this mechanism and, we suspect, it will be a constant feature of most determinations after the PA Bill is passed.
4. Increased information gathering powers
There are also a number of changes increasing the powers of the OAIC to request information and documents (and answers to questions), extending these beyond the organisation the subject of the relevant eligible data breach to any other entity that may have, in the OAIC's reasonable opinion, information or documents relating to the other organisation's eligible data breach. Further, where there are two or more failures by an organisation to provide information or answers to questions asked by the OAIC in respect of eligible data breaches, a new criminal offence provision applies where such behaviour shows a system of conduct or pattern of behaviour resulting in those failures.
5. Increased sharing of information
Finally, the PA Bill formalises the sharing of information by and to the OAIC with other agencies and, in general, the OAIC's ability to disclose information it has obtained during its investigation or consideration of a complaint if such is in the public interest. We suspect the new disclosure right will be exercised where the OAIC feels that such is necessary to protect individuals or assist them to protect themselves from the relevant infringing conduct of an organisation.
Clearly these extraordinary (in the case of the proposed new maximum fines) and other significant changes should concern all organisations subject to the Australian privacy law (now including offshore service providers).
Given these changes in the PA Bill, the current publicity around the recent significant data breaches that seem to be an almost weekly occurrence, and the expected uplift of the Privacy Act/APPs resulting from the AG's Review, now is the time to assess the status of your privacy and cyber security compliance, and whether and what you need to do to uplift it, to avoid being a 'headline' as the first to have a significant fine imposed on you under the new regime.